Auditing Operating Systems

Overview
Operating system: a computer control program. It allows users and their applications to share and access common computer resources such as:
* Processors
* Main memory
* Databases
* Printers

Operating System Objectives
OS tasks are as follows:
* Translate high-level language
* Allocate computer resources
* Manage tasks

Translate high-level language
* It translates high-level languages, such as C++, BASIC, and SQL, into the machine-level language that the computer can execute.
* The language translator modules of the operating system are called compilers and interpreters.

Allocate computer resources
* The operating system allocates computer resources to users, workgroups, and applications.
* This includes assigning memory work space to applications and authorizing access to terminals, telecommunications links, databases, and printers.

Manage tasks
* The operating system manages the tasks of job scheduling and multiprogramming.
* At any point, numerous user applications (jobs) are seeking access to the computer resources under the control of the operating system.

Jobs are submitted to the system in three ways:
* Directly by the system operator.
* From various batch-job queues.
* Through telecommunications links from remote workstations.

Fundamental control objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.

Operating System Security

Overview
Operating system security involves the policies, procedures and controls that determine who can access the operating system, which resources (files, programs, printers) they can use, and what actions they can take.
Components of a secure operating system:
1. Log-on procedure.
2. Access token.
3. Access control list.
4. Discretionary access privileges.

Log-on Procedure
A formal log-on procedure is the operating system's first line of defense against unauthorized access. When the user initiates the process, he or she is presented with a dialog box requesting the user's ID and password. The system compares the ID and password to a database of valid users.

Access Token
If the log-on attempt is successful, the operating system creates an access token that contains key information about the user, including:
* user ID
* password
* user group
* privileges granted to the user.

Access Control List
An access control list is assigned to each IT resource (computer directory, data file, program, or printer) and controls access to that resource. These lists contain information that defines the access privileges for all valid users of the resource. The central system administrator usually determines who is granted access to specific resources and maintains the access control list.

Discretionary Access Privileges
In distributed systems, however, end users may control (own) resources. Resource owners in this setting may be granted discretionary access privileges, which allow them to grant access privileges to other users.

Threats to Operating System Integrity

Overview
Operating system control objectives may not be achieved because of accidental or intentional threats. Accidental threats include hardware failures or errors in user application programs. Intentional threats to the operating system are most commonly attempts to illegally access data or violate user privacy for financial gain.

Sources of Exposures
* Privileged personnel who abuse their authority.
* Individuals, both internal and external to the organization, who browse the operating system to identify and exploit security flaws.
* Individuals who intentionally (or accidentally) insert computer viruses or other forms of destructive programs into the operating system.

Operating System Controls and Audit Tests

Overview
If operating system integrity is compromised, controls within individual accounting applications that impact financial reporting may also be compromised. For this reason, the design and assessment of operating system security controls are SOX compliance issues.

Controlling Access Privileges
User access privileges are assigned to individuals or workgroups authorized to use the system. The way access privileges are assigned influences system security. Privileges should, therefore, be carefully administered and closely monitored for compliance with organizational policy and principles of internal control.

Audit Objectives Relating to Access Privileges
The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.

Audit Procedures Relating to Access Privileges
To achieve their objectives, auditors may perform the following tests of controls:
* Review the organization's policies for separating incompatible functions and ensure that they promote reasonable security.
* Review the privileges of a selection of user groups and individuals to determine if their access rights are appropriate for their job descriptions and positions.
* Review personnel records to determine whether privileged employees undergo an adequately intensive security clearance check in compliance with company policy.
* Review employee records to determine whether users have formally acknowledged their responsibility to maintain the confidentiality of company data.
* Review the users' permitted log-on times.
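As an added example (not from the slides or any real audit tool), the following Python script models two of the tests of controls above over a constructed account export: whether any user holds privileges for incompatible functions, and whether a user's groups are justified by their job description. The incompatible-function pairs, group definitions, job-to-group mapping and sample users are all assumptions.

```python
"""Access-privilege review (added example; policy, groups and users are constructed)."""

# Constructed policy: pairs of functions the organization has declared incompatible.
INCOMPATIBLE_FUNCTIONS = [
    ("maintain_vendor_master", "approve_payment"),
    ("modify_production_program", "run_production_job"),
]

# Constructed user groups and the privileges each grants (what an ACL review would export).
GROUP_PRIVILEGES = {
    "ap_clerk": {"enter_invoice", "maintain_vendor_master"},
    "ap_manager": {"approve_payment", "view_vendor_master"},
    "developer": {"modify_production_program"},
    "operator": {"run_production_job"},
}

# Constructed mapping from job description to the groups that job legitimately needs.
# A job title not listed here is treated as needing no groups, so every group is flagged.
EXPECTED_GROUPS = {
    "Accounts Payable Clerk": {"ap_clerk"},
    "Accounts Payable Manager": {"ap_manager"},
    "Programmer": {"developer"},
}

def effective_privileges(groups):
    """Union of the privileges granted by all of a user's groups."""
    return set().union(*(GROUP_PRIVILEGES.get(g, set()) for g in groups))

def review_user(user_id, job_title, groups):
    """Findings for one user: incompatible functions held together, and groups the job does not justify."""
    findings = []
    privs = effective_privileges(groups)
    for a, b in INCOMPATIBLE_FUNCTIONS:
        if a in privs and b in privs:
            findings.append(f"{user_id}: holds incompatible functions {a} and {b}")
    excess = set(groups) - EXPECTED_GROUPS.get(job_title, set())
    if excess:
        findings.append(f"{user_id}: groups not justified by job '{job_title}': {sorted(excess)}")
    return findings

def review_users(users):
    """Run review_user over an account export given as a list of dicts."""
    return [f for u in users for f in review_user(u["user"], u["job_title"], u["groups"])]

# Constructed sample export: one clean account and two with findings.
SAMPLE_USERS = [
    {"user": "aclerk", "job_title": "Accounts Payable Clerk", "groups": ["ap_clerk"]},
    {"user": "bmgr", "job_title": "Accounts Payable Manager", "groups": ["ap_manager", "ap_clerk"]},
    {"user": "cdev", "job_title": "Programmer", "groups": ["developer", "operator"]},
]
```

Running review_users(SAMPLE_USERS) reports two findings each for bmgr and cdev and none for aclerk.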
Audit Procedures Relating to Access Privileges
Permission should be commensurate with the tasks being performed.

Password Control
A password is a secret code the user enters to gain access to systems, applications, data files, or a network server.

The most common forms of contra-security behavior include:
1. Forgetting passwords and being locked out of the system.
2. Failing to change passwords on a frequent basis.
3. The Post-it syndrome, whereby passwords are written down and displayed for others to see.
4. Simplistic passwords that a computer criminal easily anticipates.

The most common method of password control is the reusable password. The user defines the password to the system once and then reuses it to gain future access. To improve access control, management should require that passwords be changed regularly and disallow weak passwords. Software is available that automatically scans password files and notifies users that their passwords have expired and need to be changed.

The one-time password was designed to overcome the aforementioned problems. Under this approach, the user's password changes continuously.

Audit Objectives Relating to Passwords
The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.

Audit Procedures Relating to Passwords
Tests to achieve this objective:
* Verify that all users are required to have passwords.
* Verify that new users are instructed in the use of passwords and the importance of password control.
* Review password control procedures to ensure that passwords are changed regularly.
* Review the password file to determine that weak passwords are identified and disallowed.
* Verify that the password file is encrypted and that the encryption key is properly secured.
* Assess the adequacy of password standards such as length and expiration interval.
* Review the account lockout policy and procedures.
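Several of the password tests above can be scripted against an account export. This added Python example (not from the slides or any real audit tool) checks that every account has a password, that passwords are changed within the expiry interval, that a lockout threshold is set, and that a proposed password would be disallowed as weak; the policy values (12-character minimum, 90-day expiry, five-attempt lockout), the common-word list and the account records are constructed assumptions.

```python
"""Password-policy review (added example; policy values and account records are constructed)."""
from datetime import date

# Assumed policy values, not taken from the slides.
POLICY = {"min_length": 12, "max_age_days": 90, "max_failed_attempts": 5}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456"}  # constructed short list

def password_weaknesses(user_id, candidate):
    """Reasons a proposed password should be disallowed; an empty list means it passes."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < POLICY["min_length"]:
        reasons.append("shorter than minimum length")
    if any(word in low for word in COMMON_WORDS):
        reasons.append("contains a common word")
    if user_id.lower() in low:
        reasons.append("contains the user ID")
    # Require at least three kinds of character: lower, upper, digit, symbol.
    kinds = sum(any(test(c) for c in candidate) for test in (str.islower, str.isupper, str.isdigit))
    kinds += any(not c.isalnum() for c in candidate)
    if kinds < 3:
        reasons.append("fewer than three character classes")
    return reasons

def review_accounts(accounts, today):
    """Expiry and lockout findings over records with fields user, last_changed, lockout_threshold."""
    findings = []
    for acct in accounts:
        if acct["last_changed"] is None:
            findings.append(f"{acct['user']}: no password set")
        elif (today - acct["last_changed"]).days > POLICY["max_age_days"]:
            findings.append(f"{acct['user']}: password not changed within {POLICY['max_age_days']} days")
        threshold = acct["lockout_threshold"]
        if threshold is None or threshold > POLICY["max_failed_attempts"]:
            findings.append(f"{acct['user']}: lockout threshold missing or above {POLICY['max_failed_attempts']}")
    return findings

# Constructed account export and review date.
SAMPLE_ACCOUNTS = [
    {"user": "aclerk", "last_changed": date(2024, 1, 15), "lockout_threshold": 5},
    {"user": "bmgr", "last_changed": date(2023, 6, 1), "lockout_threshold": 5},
    {"user": "svc_batch", "last_changed": None, "lockout_threshold": None},
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(finding)
    print(password_weaknesses("jdoe", "Welcome2024!"))
```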
Controlling Against Malicious and Destructive Programs
Threats from destructive programs can be substantially reduced through a combination of technology controls and administrative procedures. The following examples are relevant to most operating systems:
* Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.
* Issue an entity-wide policy pertaining to the use of unauthorized software or illegal copies of copyrighted software.
* Examine all upgrades to vendor software for viruses before they are implemented.
* Inspect all public-domain software for virus infection before using it.
* Establish entity-wide procedures for making changes to production programs.
* Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.
* Install all new applications on a stand-alone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or local area network (LAN) server.
* Routinely make backup copies of key files stored on mainframes, servers, and workstations.
* Wherever possible, limit users to read and execute rights only.
* Require protocols that explicitly invoke the operating system's log-on procedures to bypass Trojan horses.
* Use antiviral software (also called vaccines) to examine application and operating system programs for the presence of a virus and remove it from the affected program.

Audit Objective Relating to Viruses and Other Destructive Programs
The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.
Audit Procedures Relating to Viruses and Other Destructive Programs
* Through interviews, determine that operations personnel have been educated about computer viruses and are aware of the risky computing practices that can introduce and spread viruses and other malicious programs.
* Verify that new software is tested on standalone workstations prior to being implemented on the host or network server.
* Verify that the current version of antiviral software is installed on the server and that upgrades are regularly downloaded to workstations.

System Audit Trail Controls
System audit trails are logs that record activity at the system, application, and user level. Audit trails typically consist of two types of audit logs: (1) detailed logs of individual keystrokes and (2) event-oriented logs. Keystroke monitoring involves recording both the user's keystrokes and the system's responses. Event monitoring summarizes key activities related to system resources.

Setting Audit Trail Objectives
Audit trails can be used to support security objectives in three ways: (1) detecting unauthorized access to the system, (2) facilitating the reconstruction of events, and (3) promoting personal accountability.

Detecting Unauthorized Access
Detection can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders attempting to breach system controls.

Reconstructing Events
Audit trail analysis can be used to reconstruct the steps that led to events such as system failures or security violations by individuals.

Personal Accountability
This capability is a preventive control that can influence behaviour. Individuals are less likely to violate an organization's security policy when they know that their actions are recorded in an audit log.
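An added Python example (not from the slides or any real audit tool) that applies the three audit-trail objectives above to constructed event-oriented log lines: a log-on that succeeds after repeated failures or falls outside the user's permitted hours (which also models the "permitted log-on times" test under access privileges) is flagged, and one user's actions are reconstructed in order and tied to that user ID. The log format, the permitted hours and the three-failure threshold are assumptions.

```python
"""Event-log review (added example; log lines, permitted hours and threshold are constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed event-oriented audit log: timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGON_OK user=aclerk src=10.1.2.10
2024-03-04T08:05:40 FILE_WRITE user=aclerk obj=AP_INVOICES
2024-03-04T23:41:02 LOGON_FAIL user=bmgr src=198.51.100.7
2024-03-04T23:41:09 LOGON_FAIL user=bmgr src=198.51.100.7
2024-03-04T23:41:15 LOGON_FAIL user=bmgr src=198.51.100.7
2024-03-04T23:41:30 LOGON_OK user=bmgr src=198.51.100.7
2024-03-04T23:42:05 FILE_READ user=bmgr obj=PAYROLL_MASTER
"""

# Assumed permitted log-on window per user as (start_hour, end_hour), end exclusive.
PERMITTED_HOURS = {"aclerk": (7, 19), "bmgr": (7, 19)}
FAIL_THRESHOLD = 3  # assumed: this many failures before a success is suspicious

def parse_log(text):
    """Parse log lines into dicts and return them in time order (logs may arrive unordered)."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts), "event": kind}
        event.update(field.split("=", 1) for field in fields)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def detect_unauthorized_access(events):
    """Objective 1: flag a log-on after repeated failures, or outside the user's permitted hours."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        user = e.get("user")
        if e["event"] == "LOGON_FAIL":
            failures[user] += 1
        elif e["event"] == "LOGON_OK":
            if failures[user] >= FAIL_THRESHOLD:
                alerts.append(f"{user}: log-on succeeded after {failures[user]} failed attempts")
            start, end = PERMITTED_HOURS.get(user, (0, 24))
            if not start <= e["ts"].hour < end:
                alerts.append(f"{user}: log-on at {e['ts']:%H:%M} is outside permitted hours")
            failures[user] = 0  # a success closes the run of failures
    return alerts

def reconstruct(events, user):
    """Objectives 2 and 3: one user's actions in order, each tied to that user ID."""
    return [(e["ts"], e["event"], e.get("obj") or e.get("src")) for e in events if e.get("user") == user]
```

On the sample log, detect_unauthorized_access(parse_log(SAMPLE_LOG)) raises two alerts for bmgr and none for aclerk.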
Implementing a System Audit Trail
Information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.

Audit Objectives Relating to the System Audit Trail
The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses.

Auditing Networks

Intranet Risk
An intranet consists of small LANs and large WANs that may contain thousands of individual nodes. Unauthorized and illegal employee activities internally spawn intranet threats. The threat from employees is significant because of their intimate knowledge of system controls and/or the lack of controls.

Interception of Network Messages
Network administrators routinely use commercially available sniffer software to analyze network traffic and detect bottlenecks.

IP Spoofing
IP spoofing is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one's identity.

Denial of Service Attack
* SYN attack.
* Smurf attack.

Internet Risk: Risk from Equipment
1. Communication lines.
2. Hardware.
3. Software.

Controlling Networks
Controlling risk from subversive threats:
* Firewalls.
* Controlling denial of service attacks.
* Encryption. Encryption is the conversion of data into secret code for storage in databases and transmission over networks.
* Digital signatures.
* Digital certificates.
* Message sequence numbering.
* Message transaction log.
* Request-response technique.
* Call-back devices.

Auditing Electronic Data Interchange (EDI)
EDI is the intercompany exchange of computer-processible business information in standard format.

Benefits of EDI
* Data keying.
* Error reduction.
* Reduction of paper.
* Automated procedures.
* Inventory reduction.

Auditing PC-Based Accounting Systems

PC-System Risks and Controls
* Operating system weaknesses.
* Weak access control.
* Inadequate segregation of duties.
* Weak backup procedures.
* Risk of virus infection.